Policy IAM user Appstream2.0


Is it possible to give access only to a certain image, stack, or fleet with IAM policies?

Do you have any examples?

I tried with a policy but it returns this error:

User: arn:aws:iam::xxxxxxxxx:user/xxxxxxxx is not authorized to perform: appstream:DescribeFleets on resource: arn:aws:appstream:eu-central-1:xxxxxxxxxxx:fleet/* because no boundary policy allows the appstream:DescribeFleets action

My need is: in an AWS account, an IAM user must only see some image/fleet/stack.


1 Answer

The AppStream 2.0 console doesn't currently support restricting what a user can see based on tags or other resource boundary. For example, the Stacks page calls the AppStream 2.0 API "DescribeStacks" without specifying any boundaries or tags. You can use tags to prevent a user from updating an AppStream 2.0 resource without specify a specific tag - for example, if a user/role should only be able to modify resources with a tag key of "Stage" and value of "NonProd", you can specify that as a condition.

answered 2 years ago
  • thanks for your answer MuraliAtAWS. So a policy with these controls (see example) is not possible?

    "Resource": [ "arn:aws:appstream:eu-central-1:123.....:image-builder/imagebuilder01" "arn:aws:appstream:eu-central-1:123.....:stack/stack01", "arn:aws:appstream:eu-central-1:123.....:app-block/", "arn:aws:appstream:eu-central-1:123.....:fleet/fleet1", "arn:aws:appstream:eu-central-1:123.....:application/", "arn:aws:appstream:eu-central-1:123.....:image/image01" ], "Condition": { "StringEqualsIfExists": { "aws:username": "user01" } }

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions